Understanding the Cyber Risks of Law Firms
November 2013 • Lockton Companies
EMILY FREEMAN
Lockton Global Technology and
Privacy Practice
[email protected]
Many law firms believe that cyber liability risks are
already covered by legal professional liability (LPL)
or indemnity insurance. While LPL insurance affords
™™
some coverage for cyber liability risks, it also includes a
Access to the cyber insurer’s external resources for
legal, forensics, and credit protection services in the
number of grey areas as well as specific areas where there
event of a data breach, not only in the U.S. but also
is clearly no coverage due to the scope of the insuring
increasingly in Europe and other parts of the world.
agreement, definitions, and exclusions.
™™
These resources are important, as data breaches
involve immediate response and specialist jurisdiction
It is important to remember, particularly in the grey areas
knowledge, and play out in a manner that is totally
of coverage, that LPL policies were designed to address
unlike the extended legal process of a professional
wrongful acts, errors, omissions, or breaches of contract
liability claim.
or duty arising out of the insured firm’s professional
services as attorneys, counselors at law, or notaries and
™™
Coverage for notification, forensics, and crisis
therefore do not specifically contemplate cyber risks.
management costs (direct costs) are not part of an
In the event of a cyber claim, these limitations may,
LPL insurance program.
at the very least, give rise to disputes regarding policy
™™
interpretation or denials of coverage by the professional
of civil fines and penalties are not part of an
liability insurer.
LPL program.
™™
Here are the major reasons why law firms should
buy cyber:
™™
Clear coverage for privacy regulatory and payment
Ability of Lockton’s cyber manuscript policy—
using specialist policy wording for law firms—to be
primary to the LPL policy and its excess tower.
High retention on LPL policies of large law firms
versus retentions on cyber policies (which can be
™™
as low as $250,000 for major global law firms).
Cyber policies cover data breaches where the
affected individuals are employees of the law firm
Effectively, the retention of a large law firm’s
anywhere in the world. LPL policies do not address
LPL policy removes the insurer from all but the
data breaches affecting the law firm’s employees,
largest single civil suit affecting either single or
applicants, retirees, and other parties.
multiple clients.
1
November 2013 • Lockton Companies
™™
Ability of Lockton’s cyber manuscript policy to
Privacy
cover client contractual indemnity requirements for
The violation of ever-evolving privacy laws or regulations that
data breaches.
™™
™™
permit individuals to control the collection, access, transmission,
Clear and affirmative language to deal with issues
use, and accuracy of their personally identifiable nonpublic
such as outsourcing and employees as perpetrators.
information. Behavior or practices in contradiction or in violation
No coverage with LPL for first-party interruption/
of the corporate privacy policy is a significant aspect of this risk.
suspension of the law firm’s computer network,
A law firm’s exposure to cyber risk is twofold:
either directly or contingent (outsourced IT/
hosting).
1.
As a data collector/owner of sensitive information
about its employees, including applicants
To provide background from a liability
perspective, cyber risks arise from a combination
of security and privacy exposures.
and retirees.
2.
As a professional service provider to its clients.
This is an important point, as the key elements of
cyber losses—civil liability; privacy regulatory costs;
Security
and notification, forensics, and crisis management
The unauthorized access, exposure, disclosure, use, destruction,
costs—develop very differently in the role of a service
or modification of nonpublic, personal, or sensitive corporate,
provider versus that of a data owner. Data breaches
third-party information (both electronic and paper), including
the failure to take steps to protect such information from theft by
social engineering techniques or failure to secure mobile devices that
contain such information.
can create cross-border regulatory investigations,
notification obligations, and civil suits as the venue
follows the residency of the affected individual(s), not
where the breach occurred or where the services were
Law firms are a major user of mobile devices such
performed. Mandatory notification—required currently
as laptops, tablets, and smart phones. Security risks
in 46 U.S. states and a number of countries, including
must be seen from a technology, people, and processes
Germany—has multiple financial and reputational
perspective, including the possibility that trusted
consequences. There is a generally accepted view in U.S.
employees or trusted third parties with access to the
state notification laws that encrypted data is outside of
network are potential perpetrators (or may be in league
the mandatory notification requirement. In 2014, the EU
with the perpetrators) of a security breach. This is a
is moving to implement mandatory notification across
major risk for law firms and a complex one, given the
all member countries and potentially imposing very large
variability of law and regulation globally.
fines based upon global revenues of the parent company.
Even in jurisdictions where notification is not required,
the common practice has been to provide some form of
voluntary notification.
2
November 2013 • Lockton Companies
Data breaches can create cross-border regulatory investigations, notification obligations,
and civil suits as the venue follows the residency of the affected individual(s), not where
the breach occurred or where the services were performed.
Typically, security/privacy civil claims in the U.S. are
legal practices, like medical malpractice, personal injury,
filed as class actions. But most courts have found that
and workers’ compensation, involve particularly sensitive
the plaintiffs do not meet the requirement of actual or
personal information. Other corporate practices, like
imminent injury or financial damages. Plaintiff lawyers
acquisitions and intellectual property, can potentially
have turned to the asbestos litigation of the past and are
expose sensitive third-party corporate information.
using the legal theory that future harm will likely occur
Clients, particularly in high-compliance industries such
to the affected individuals in the class; and therefore,
as financial services, healthcare, government, utilities,
the case should be certified. Although these classes are
and large public corporations, are very concerned from
generally not certified, the legal costs—both defense and
a due diligence and contractual perspective about any
payment of plaintiff lawyers—can run in the millions.
outsourcing provider, including professional services
Regulators are active in this area, and insurers are seeing
the growth of regulatory investigations and a rise in
firms. Strong indemnity requirements in event of a
breach of confidentiality or data breach may be inserted
into the client contract with its law firm.
fines or penalties, including imposition of consumer
redress funds.
Law firms also face first-party cyber risks to their
Law firms may outsource aspects of its legal services, IT,
or business process services; security and privacy events
may arise out of acts, errors, or omissions of such
outside vendors. Although a function can be outsourced,
law firms cannot escape its responsibility from a legal
computer systems, a time-sensitive critical asset.
Traditional property insurance covers physical loss to
physical things: the data center and computer hardware.
Many risk scenarios involving damage to electronic
digital assets and network interruptions do not involve
physical loss. Also loss of net income arising out of
and contractual perspective for the data breach.
adverse media attention surrounding a data breach is not
insured in a property program.
A law firm’s client—as the presumptive data owner—
can face significant financial costs and reputation
damage caused by a law firm’s data breach. Some specific
3
November 2013 • Lockton Companies
LOC K TON ’ S C Y BER I N S U R A NCE POL I C Y F OR LAW F I RMS
We do not recommend that any legal professional
Our job is to assist your team in outlining your overall
services firm purchase an off-the-shelf cyber liability
compliance controls and IT security practices. We use
product. Lockton has developed a specific manuscript
the single underwriting conference call with our leading
wording for law firms designed to address the particular
markets (no multiple calls or individual meetings) and
requirements of the client and the issues involving the
require all invited underwriters to sign a nondisclosure
presence of some overlaps between the LPL world and
agreement to attend the call. We provide specific
the cyber world.
guidance to help the law firm’s general counsel and IT
Lockton’s cyber insurance addendum policy recognizes
the reality that a data breach by a professional services
firm in performing professional services will likely
security leader present the firm and its security/privacy
posture and controls.
LOC K TON I S KNOW N F OR :
trigger a demand on the data breach indemnity in a
client contract. Our policy for cyber liability contains an
™™
solution in respect of cyber risks for law firms with a specialist
affirmative grant of coverage for a business associate or
client contractual indemnity for a data breach.
Our ability to design the broadest, customized risk-transfer
team (Lockton’s Global Technology and Privacy Group).
™™
Our ability to provide risk management advice and support,
including recommendations for best practices.
The wording is also structured to reflect the law firm’s
™™
Our commitment to you that our most senior and technically
executive titles and substantial amendments to defense
proficient Associates will design, market, and implement your
of a claim section for large law firms that have internal
cyber program, including our support in the event of a security
privacy law expertise.
or privacy breach.
™™
A clear and concise implementation plan to obtain
cyber insurance.
Lockton has been a major initiator of change in the
™™
process of securing cyber liability coverage. We host
an underwriting briefing conference call for your cyber
Our market leadership on new coverages, including first
coverage for loss of computer networks, whether direct or
contingent (outsourced IT/hosting).
liability coverage, rather than completing a standard,
lengthy insurer IT security application.
www.lockton.com
© 2013 Lockton, Inc. All rights reserved.
Images © 2013 Thinkstock. All rights reserved.
g\whitepaper\freeman\2013\freeman_cyberforlawfirms_nov2013_4pgs.indd
4